Changing password through Kerberos/ Kerberos Error codes

Russ Allbery rra at
Mon Apr 8 12:20:12 EDT 2013

Arpit Srivastava <arpit.orb at> writes:

> 1. Before prompting the user to change the password, I want to check
> whether the password is about to expire or not. My server is Windows AD
> and I have set the password lifetime to be 2 days (which is less than 7
> day as per Windows standard for sending the password expiry
> notification).  For that, I have registered a callback in
> krb5_get_init_creds_password but what is happening is callback api is
> being called again and again. And TGT is fetched in the background. What
> could be the reason for this ? Moreover, no message/banner is coming in
> prompt callback function which is unexpected.

The krb5_get_init_creds_password callback, if you're referring to what I
think you're referring to, is intended for prompting, not for intercepting
messages from the KDC (although it can also do the latter).  If you
provide a prompting function, you'll have to deal with the prompts (such
as passwords).  But I'm not sure I understand what you're explaining; more
details might be helpful.

> 2. I made the password to expire on my Windows account. and now checking
> the krb5 error code returned by krb5_get_init_creds_password. Ideally,
> it should come out to be KRB5KDC_ERR_KEY_EXP butwhat I am getting is
> KRB5KDC_ERR_NEVER_VALID . What could be the reason for this behavior.

That error message supposedly means that you requested a negative lifetime
for the ticket.

Russ Allbery (rra at             <>

More information about the krbdev mailing list